review mandatory
This document defines Welcome Events (kind: 444) that enable secure group invitations in Marmot Protocol. Welcome Events provide everything new members need to join groups and start participating.
- Admin commits: Group admin includes a new member via a
Commitmessage - Wait for confirmation: Admin waits for relay acknowledgment of the Group Event
- Send Welcome: Admin sends a private
WelcomeEvent to the new member - New member joins: New member processes the Welcome and can start messaging
Clients creating Welcome Events MUST:
- Wait for confirmation: Don't send the Welcome until relays confirm receipt of the Commit
- Process before welcoming: Ensure the group state change is committed before inviting
This sequencing prevents race conditions where a new member receives a Welcome for a group state that hasn't been finalized yet.
This timing requirement applies to ALL member additions after initial group creation. When adding members to an existing group, the Commit message MUST be accepted by relays BEFORE sending the Welcome message.
Why this matters: The Welcome message contains the group state at a specific epoch. If the Welcome is delivered before the Commit reaches existing members, a state fork occurs:
- The new member activates at epoch N+1 (from the Welcome)
- Existing members remain at epoch N (haven't received the Commit yet)
- Messages sent by the new member cannot be decrypted by existing members
- Messages sent by existing members cannot be decrypted by the new member
- The group state diverges, requiring manual recovery
This is not a theoretical concern—distributed relay networks can deliver messages out of order. The only reliable prevention is waiting for relay confirmation of the Commit before sending the Welcome.
Note: Initial group creation (single-member group with no prior epochs) does not require this wait because there are no existing members who could have a conflicting state.
Welcome Events use NIP-59 gift-wrapping for privacy and unlinkability.
{
"id": "def456...",
"kind": 444,
"created_at": 1693876600,
"pubkey": "02a1633cafe37eeebe2b39b4ec5f3d74c35e61fa7e7e6b7b8c5f7c4f3b2a1b2c3d",
"content": "MDk4NzY1NDMyMWZlZGNiYS4uLg==",
"tags": [
["e", "keypackage_event_id_123..."],
["relays", "wss://relay1.com", "wss://relay2.com"],
["encoding", "base64"]
]
}Important: This event is NOT signed ("sig" field omitted) to prevent accidental public publishing if it leaks.
Required fields:
content: SerializedMLSMessagecontaining the MLSWelcomeobject, base64-encoded.encoding: Specifies the encoding format of thecontentfield. MUST be["encoding", "base64"]. Implementations MUST reject events with missing or unrecognized encoding tags. Hex encoding was used by early implementations but is no longer supported and MUST be rejected.etag: ID of the KeyPackage Event used to add this userrelaystag: List of relays where the new member should look for Group Events
Security note: The unsigned nature prevents the event from being accidentally published to public relays, as most relays reject unsigned events.
The content field contains a base64-encoded MLS Welcome object. The encoding format (base64 or hex) is specified by the encoding tag. The Welcome object includes:
- Group secrets: Cryptographic keys needed to decrypt group messages
- Group state: Current member list and group configuration
- Ratchet tree: Key tree structure for the group
- Extensions: Group metadata including Marmot Group Data Extension
When receiving a Welcome Event, clients MUST:
- Verify KeyPackage match: Ensure the referenced KeyPackage belongs to this user
- Process MLS Welcome: Use MLS library to process the Welcome and join the group
- Validate group state: Verify all group extensions and configurations, including the mandatory Marmot Group Data Extension (
0xF2EE) - Store group information: Save group keys, member list, and relay information
- Rotate KeyPackage: Remove the consumed KeyPackage from relays, optionally post a new fresh Keypackage
- Delete init_key: Securely delete the private init_key material from local storage (see MIP-00 Private Key Material Management)
- Perform self-update: Create and commit an Update proposal for your own LeafNode before sending any application messages (see below)
After successfully processing a Welcome message, clients SHOULD perform a self-update (MLS Update proposal for their own LeafNode) before sending any application messages. This is strongly recommended for forward secrecy.
When a member joins via a Welcome message, their LeafNode contains the key material from the KeyPackage that was used to add them. This means:
- The init_key was potentially exposed: The KeyPackage was published to relays and may have been observed or captured by adversaries
- Forward secrecy is limited: Until the member updates their LeafNode, any compromise of the init_key private material could allow decryption of group secrets
By performing an immediate self-update:
- Fresh key material is generated that was never published or observable
- The group epoch advances, providing forward secrecy for subsequent messages
- The risk window from KeyPackage exposure is minimized
- RECOMMENDED: Perform self-update immediately after processing Welcome, before sending any application messages
- MUST: Perform self-update within 24 hours of joining the group
Self-update Commits are explicitly allowed from any group member, regardless of admin status (see MIP-03). This ensures all members can maintain their own key hygiene without requiring admin privileges.
For groups above ~150 participants, welcome messages will become larger than is permitted by many Nostr relays. There is currently work underway on the MLS protocol to support "light" client
Welcomeobjects that don't require the full Ratchet Tree state to be sent to the new member. This section will be updated with recommendations for how to handle large groups.
If Welcome processing fails, clients SHOULD:
- Retain KeyPackage: Do NOT delete the KeyPackage from relays
- Display clear errors: Show user-friendly error messages
- Log technical details: Capture technical information for debugging
- Signing key unavailable: KeyPackage was created on a different device thus the secret key for the KeyPackage used to add the user to the group is not available.
Welcome Events are the secure onboarding mechanism for Marmot groups:
- MLS Welcome Object: Contains all cryptographic material for group access
- Gift-Wrapping: Provides privacy and unlinkability using NIP-59
- KeyPackage Reference: Links Welcome to the consuming KeyPackage
- Relay Information: Tells new members where to find Group Events
MUST implement:
- NIP-59 gift-wrapping with unsigned events
- Proper timing (wait for Commit confirmation)
- KeyPackage lifecycle management (relay deletion)
- Private init_key secure deletion after Welcome processing
- Self-update within 24 hours of joining (RECOMMENDED: immediately before sending messages)
- Graceful error handling with clear user messages